Troubleshooting EAP-TLS with External Certificates

Matthew West matthew.t.west at gmail.com
Thu Aug 25 19:20:34 CEST 2016


Hi Alan,

> first steps. turn those back on - and configure them correctly as required
> (read firewalld and selinux docs as required).

Yes, those will be turned back on. They were turned off to isolate the
FreeRADIUS issues I'm having.

> you talk about EAP-TLS...but your post only mentioned doing basic PAP and PEAP test - please don't
> confuse terminology.. you haven't tested a client cert yet - which is probably important if you ARE
> doing EAP-TLS....

I was just stepping through the DeployingRADIUS steps to show that I
have a working system before attempting to test EAP-TLS again.  I've
tested PAP, EAP, and MS-CHAPv2 with the 'bob' test account on the
current system, successfully.  I've also gotten EAP-TLS to work with
production certs on a prior build.   Which leads me to...

> what cert are you using?  still a local one or a public one? I would advise keeping with local
> one....you talk about importing it to client, so that suggests its not one of the big public ones... good.

Funny you should mention that...  I've gotten EAP-TLS working just
fine with local production certs, previously, but I am trying to get
this to work with some of the 'big ones' and that's where I hit a
roadblock before.  The server certificate that I was given is a
wildcard (star.company.net) certificate from GoDaddy.  The client
certificates (we have about 65) are all e-mail/auth certificates from
VeriSign.  What do you see as the issue with using 3rd Party
Certificates and FreeRADIUS?  Are they not formatted in a standard
way?

> now you have a working system, start to comment/remove things out of it that you don't need -
> thinking PAP and plain CHAP etc methods. weak, insecure. use the permit_only_eap policy in your virtual server auth {} section to ensure only EAP requests are coming to it.

OK, that makes sense.  Right now I'm using the default server, so I'll
create a new file and make changes there.

Today, I will be testing with our certs and will post the output.
Thank you for your input and time Alan.  I appreciate it.

Thank You,

Matthew
On Thu, Aug 25, 2016 at 2:52 AM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> hi,
>
> 1. Installed/Configured CentOS 7 (CentOS7-x86_64-1511)
>     a. Disabled SELinux
>     b. Disabled firewalld
>
> first steps. turn those back on - and configure them correctly as required
> (read firewalld and selinux docs as required).
>
>>Are there any steps I've missed?  Do I need to keep the 'dh' in /certs/?
>
> now you have a working system, start to comment/remove things out of it that you don't need -
> thinking PAP and plain CHAP etc methods. weak, insecure. use the permit_only_eap policy in your virtual server auth {} section to ensure only EAP requests are coming to it.
>
> of course you need the DH file - it's part of the process.
>
> what cert are you using?  still a local one or a public one? I would advise keeping with local
> one....you talk about importing it to client, so that suggests its not one of the big public ones... good.
>
> you talk about EAP-TLS...but your post only mentioned doing basic PAP and PEAP test - please don't
> confuse terminology.. you haven't tested a client cert yet - which is probably important if you ARE
> doing EAP-TLS....
>
> alan
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
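Editor's note on the third-party certificate question above. The usual snag with a public-CA server certificate and public-CA client certificates is not their format but the chain: the issuing CA is an intermediate, and FreeRADIUS only trusts what is in the file named by ca_file in the tls-config section of mods-available/eap, so the intermediate(s) have to be in that bundle alongside the root. The other thing worth checking before loading such certificates is extendedKeyUsage: the server certificate needs serverAuth and the client certificates need clientAuth (e-mail certificates usually carry emailProtection as well, which is fine). The script below is an added example, not from this thread or from the FreeRADIUS project; it builds a throwaway root, intermediate, wildcard server certificate and e-mail/client certificate with openssl (all names such as Example Root and *.company.example are made up) and then runs exactly those two checks, showing the root-only bundle failing and the root-plus-intermediate bundle succeeding.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeRADIUS project.
# Builds a small throwaway PKI and runs the pre-flight checks an admin would
# run on third-party EAP-TLS certificates before pointing mods-available/eap at them.
# All names (Example Root, Example Issuing CA, *.company.example, alice) are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue <name> <subject> <signer|self> <extension line>...
# Creates a key + CSR, then signs it with the named CA (or self-signs),
# applying the given X.509v3 extensions from an ad-hoc extfile.
issue() {
    name=$1
    subj=$2
    signer=$3
    shift 3
    printf '%s\n' "$@" > "$WORK/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" 2>/dev/null
    if [ "$signer" = self ]; then
        openssl x509 -req -sha256 -days 2 -in "$WORK/$name.csr" \
            -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -sha256 -days 2 -in "$WORK/$name.csr" \
            -CA "$WORK/$signer.pem" -CAkey "$WORK/$signer.key" -CAcreateserial \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Root -> intermediate -> {wildcard server cert, e-mail/client cert}, mirroring
# how a public CA issues certificates (never directly from the root).
issue root         "/CN=Example Root"       self \
    "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
issue intermediate "/CN=Example Issuing CA" root \
    "basicConstraints=critical,CA:TRUE,pathlen:0" "keyUsage=critical,keyCertSign,cRLSign"
issue server       "/CN=*.company.example"  intermediate \
    "basicConstraints=CA:FALSE" "extendedKeyUsage=serverAuth"
issue client       "/CN=alice/emailAddress=alice@company.example" intermediate \
    "basicConstraints=CA:FALSE" "extendedKeyUsage=clientAuth,emailProtection"

# Two candidate ca_file bundles: root only, and root plus intermediate.
cat "$WORK/root.pem" > "$WORK/ca_root_only.pem"
cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/ca_full.pem"

# chain_ok <bundle> <cert>: succeeds only if the cert validates using the bundle alone,
# which is the situation FreeRADIUS is in with ca_file.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_eku <cert> <usage text as openssl -text prints it>
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Chain checks: the root-only bundle must reject the client cert (missing intermediate).
if chain_ok "$WORK/ca_root_only.pem" "$WORK/client.pem"; then
    echo "unexpected: client cert verified against root-only bundle"
else
    echo "root-only bundle: client cert REJECTED (intermediate missing from ca_file)"
fi
if chain_ok "$WORK/ca_full.pem" "$WORK/client.pem"; then
    echo "root+intermediate bundle: client cert OK"
fi
if chain_ok "$WORK/ca_full.pem" "$WORK/server.pem"; then
    echo "root+intermediate bundle: server cert OK"
fi

# EKU checks: server cert must say serverAuth, client cert must say clientAuth.
if has_eku "$WORK/server.pem" "TLS Web Server Authentication"; then
    echo "server cert: serverAuth present"
fi
if has_eku "$WORK/client.pem" "TLS Web Client Authentication"; then
    echo "client cert: clientAuth present"
fi
```

Run it with `sh` on a host with OpenSSL 1.1.1 or newer (the `-days 2` certificates are discarded at exit). To apply the same checks to real certificates, call `chain_ok` with the bundle you intend to use as ca_file and each client certificate, and `has_eku` on the server certificate named by certificate_file; a client certificate that fails `chain_ok` against ca_file will fail EAP-TLS the same way, and the fix is to append the CA's intermediate certificate(s) to the bundle rather than to change anything on the client.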
